Stop booting in RK3188 #117

Open
dcostan opened this issue Aug 11, 2018 · 3 comments

Comments


dcostan commented Aug 11, 2018

Hello all,
I have a Chinese board with an RK3188 and I tried to build and use this kernel with the Radxa Rock device tree. Unfortunately the boot process stops after a few seconds and doesn't go on. Here is the serial output:

DDR Version 1.04 20140217
In
DDR3
300MHz
Bus Width=32 Col=10 Bank=8 Row=16 CS=1 Die Bus-Width=8 Size=2048MB
Memory OK
OUT


barebox 2016.02.0 #18 Sat Mar 5 09:20:35 CET 2016


Board: Radxa Rock
clk_register clk xin24m is already registered, skipping!

of_clk_init: failed to init clock for /oscillator: 1

arc-emac 10204000.ethernet: ARC EMAC detected with id: 0x7fd02
mdio_bus: miibus0: probed
dw_mmc 10214000.dwmmc: registered as 10214000.dwmmc
mshc1: detected SD card version 1.0
mshc1: registered mshc1
netconsole: registered as netconsole-1
i2c-gpio i2c-gpio0: using pins 58 (SDA) and 59 (SCL)
malloc space: 0x9ff7d800 -> 0xdfefafff (size 1023.5 MiB)
envfs: wrong magic
running /env/bin/init...

Hit any key to stop autoboot:  3 2 1 0
blspec: blspec_scan_directory: /mnt/mshc1.0 loader/entries
ext4 ext40: EXT2 rev 1, inode_size 256
blspec: blspec_scan_directory: /mnt/mshc1.1 loader/entries
blspec: blspec_scan_directory: mshc1 loader/entries
blspec: booting Debian
 from mshc1

Loading ARM Linux zImage '/mnt/mshc1.0/rk3188-radxarock.img.neww
'
Loading devicetree from '/mnt/mshc1.0/rk3188-radxarock.dtb.neww
'
commandline:  console=ttyS2,115200 console=tty0 console=ttyS2,115200 root=/dev/mmcblk0p2 rootdelay=3 rootfstype=ext4 rw clocksource=jiffies earlyprintk debug
  
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 4.4.143 (matlin@matlin-PC) (gcc version 7.3.1 20180425 [linaro-7.3-2018.05 revision d29120a424ecfbc167ef90065c0eeb7f91977701] (Linaro GCC 7.3-2018.05) ) #5 SMP Wed Aug 8 15:48:09 CEST 2018
[    0.000000] CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=10c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine model: Radxa Rock
[    0.000000] cma: Reserved 16 MiB at 0xdf000000
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] On node 0 totalpages: 524288
[    0.000000] free_area_init_node: node 0, pgdat c10d5bc0, node_mem_map eeffa000
[    0.000000]   Normal zone: 1536 pages used for memmap
[    0.000000]   Normal zone: 0 pages reserved
[    0.000000]   Normal zone: 196608 pages, LIFO batch:31
[    0.000000]   HighMem zone: 327680 pages, LIFO batch:31
[    0.000000] PERCPU: Embedded 14 pages/cpu @eef9d000 s24728 r8192 d24424 u57344
[    0.000000] pcpu-alloc: s24728 r8192 d24424 u57344 alloc=14*4096
[    0.000000] pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3 
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 522752
[    0.000000] Kernel command line:  console=ttyS2,115200 console=tty0 console=ttyS2,115200 root=/dev/mmcblk0p2 rootdelay=3 rootfstype=ext4 rw clocksource=jiffies earlyprintk debug
  
[    0.000000] PID hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
[    0.000000] Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
[    0.000000] Memory: 2046320K/2097152K available (10240K kernel code, 892K rwdata, 2912K rodata, 1024K init, 582K bss, 34448K reserved, 16384K cma-reserved, 1294336K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0xf0800000 - 0xff800000   ( 240 MB)
[    0.000000]     lowmem  : 0xc0000000 - 0xf0000000   ( 768 MB)
[    0.000000]     pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
[    0.000000]     modules : 0xbf000000 - 0xbfe00000   (  14 MB)
[    0.000000]       .text : 0xc0008000 - 0xc0b00000   (11232 kB)
[    0.000000]       .init : 0xc0f00000 - 0xc1000000   (1024 kB)
[    0.000000]       .data : 0xc1000000 - 0xc10df274   ( 893 kB)
[    0.000000]        .bss : 0xc10e1000 - 0xc11729f0   ( 583 kB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000] 	Build-time adjustment of leaf fanout to 32.
[    0.000000] NR_IRQS:16 nr_irqs:16 16
[    0.000022] sched_clock: 64 bits at 150MHz, resolution 6ns, wraps every 2199023255551ns
[    0.000059] clocksource: arm_global_timer: mask: 0xffffffffffffffff max_cycles: 0x2298375bd0, max_idle_ns: 440795208267 ns
[    0.001765] Console: colour dummy device 80x30
[    0.003095] console [tty0] enabled
[    0.003167] Calibrating delay loop... 1196.85 BogoMIPS (lpj=5984256)
[    0.090372] pid_max: default: 32768 minimum: 301
[    0.090580] Security Framework initialized
[    0.090638] Yama: becoming mindful.
[    0.090779] Mount-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.090850] Mountpoint-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.092316] Initializing cgroup subsys devices
[    0.092414] Initializing cgroup subsys freezer
[    0.092522] CPU: Testing write buffer coherency: ok
[    0.092631] ftrace: allocating 39052 entries in 115 pages
[    0.199862] CPU0: update cpu_capacity 1024
[    0.199935] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[    0.200122] Setting up static identity map for 0x60100000 - 0x60100058
[    0.207781] Brought up 1 CPUs
[    0.207854] SMP: Total of 1 processors activated (1196.85 BogoMIPS).
[    0.207892] CPU: All CPU(s) started in SVC mode.
[    0.209480] devtmpfs: initialized
[    0.221134] VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
[    0.222135] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.222263] futex hash table entries: 1024 (order: 4, 65536 bytes)
[    0.225293] pinctrl core: initialized pinctrl subsystem
[    0.227488] NET: Registered protocol family 16
[    0.230080] DMA: preallocated 256 KiB pool for atomic coherent allocations
[    0.232789] cpuidle: using governor ladder
[    0.232881] cpuidle: using governor menu
[    0.232961] Registered FIQ tty driver
[    0.245192] gpiochip_add_data: registered GPIOs 0 to 31 on device: gpio0
[    0.245475] gpiochip_add_data: registered GPIOs 32 to 63 on device: gpio1
[    0.245771] gpiochip_add_data: registered GPIOs 64 to 95 on device: gpio2
[    0.246032] gpiochip_add_data: registered GPIOs 96 to 127 on device: gpio3
[    0.252526] hw-breakpoint: found 5 (+1 reserved) breakpoint and 1 watchpoint registers.
[    0.252613] hw-breakpoint: maximum watchpoint size is 4 bytes.
[    0.281170] of_get_named_gpiod_flags: parsed 'gpio' property of node '/usb-otg-regulator[0]' - status (0)
[    0.282054] of_get_named_gpiod_flags: parsed 'gpio' property of node '/sdmmc-regulator[0]' - status (0)
[    0.282638] sdmmc-supply: regulator get failed, ret=-517
[    0.283040] of_get_named_gpiod_flags: parsed 'gpio' property of node '/usb-host-regulator[0]' - status (0)
[    0.283881] of_get_named_gpiod_flags: can't parse 'gpio' property of node '/vsys-regulator[0]'
[    0.286148] SCSI subsystem initialized
[    0.286843] usbcore: registered new interface driver usbfs
[    0.287040] usbcore: registered new interface driver hub
[    0.287520] usbcore: registered new device driver usb
[    0.287900] media: Linux media interface: v0.10
[    0.288051] Linux video capture interface: v2.00
[    0.288185] pps_core: LinuxPPS API ver. 1 registered
[    0.288229] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.288336] PTP clock support registered
[    0.290236] Advanced Linux Sound Architecture Driver Initialized.
[    0.291691] Bluetooth: Core ver 2.21
[    0.291837] NET: Registered protocol family 31
[    0.291886] Bluetooth: HCI device and connection manager initialized
[    0.291944] Bluetooth: HCI socket layer initialized
[    0.291996] Bluetooth: L2CAP socket layer initialized
[    0.292101] Bluetooth: SCO socket layer initialized
[    0.409955] NET: Registered protocol family 2
[    0.411335] TCP established hash table entries: 8192 (order: 3, 32768 bytes)
[    0.411559] TCP bind hash table entries: 8192 (order: 5, 163840 bytes)
[    0.411986] TCP: Hash tables configured (established 8192 bind 8192)
[    0.412180] UDP hash table entries: 512 (order: 2, 24576 bytes)
[    0.412291] UDP-Lite hash table entries: 512 (order: 2, 24576 bytes)
[    0.412782] NET: Registered protocol family 1
[    0.413701] RPC: Registered named UNIX socket transport module.
[    0.413772] RPC: Registered udp transport module.
[    0.413807] RPC: Registered tcp transport module.
[    0.413840] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.418556] Initialise system trusted keyring
[    0.437475] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.441768] NFS: Registering the id_resolver key type
[    0.441881] Key type id_resolver registered
[    0.441926] Key type id_legacy registered
[    0.442012] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
[    0.443344] fuse init (API version 7.23)
[    0.455285] jitterentropy: Initialization failed with host not compliant with requirements: 2
[    0.455820] NET: Registered protocol family 38
[    0.455945] Key type asymmetric registered
[    0.456010] Asymmetric key parser 'x509' registered
[    0.456196] bounce: pool size: 64 pages
[    0.456639] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 247)
[    0.456753] io scheduler noop registered
[    0.456813] io scheduler deadline registered
[    0.456941] io scheduler cfq registered (default)
[    0.465623] dma-pl330 20018000.dma-controller: Loaded driver for PL330 DMAC-241330
[    0.465721] dma-pl330 20018000.dma-controller: 	DBUFF-32x8bytes Num_Chans-6 Num_Peri-12 Num_Events-12
[    0.470158] dma-pl330 20078000.dma-controller: Loaded driver for PL330 DMAC-241330
[    0.470253] dma-pl330 20078000.dma-controller: 	DBUFF-64x8bytes Num_Chans-7 Num_Peri-20 Num_Events-14
[    0.472143] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
[    0.475742] 10124000.serial: ttyS0 at MMIO 0x10124000 (irq = 22, base_baud = 1500000) is a 16550A
[    0.477354] 10126000.serial: ttyS1 at MMIO 0x10126000 (irq = 23, base_baud = 1500000) is a 16550A
[    0.479018] console [ttyS2] disabled
[    0.479205] 20064000.serial: ttyS2 at MMIO 0x20064000 (irq = 30, base_baud = 1500000) is a 16550A
[    1.373506] console [ttyS2] enabled
[    1.378975] 20068000.serial: ttyS3 at MMIO 0x20068000 (irq = 31, base_baud = 1500000) is a 16550A
[    1.391560] [drm] Initialized drm 1.1.0 20060810
[    1.399586] usbcore: registered new interface driver udl
[    1.409777] brd: module loaded
[    1.428425] loop: module loaded
[    1.433928] zram: Added device: zram0
[    1.438175] lkdtm: No crash points registered, enable through debugfs
[    1.446961] tun: Universal TUN/TAP device driver, 1.6
[    1.452791] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>

In addition, the mainline kernel from Torvalds boots; however, it does not contain the board-specific drivers.
Thank you all

rkchrome pushed a commit that referenced this issue Mar 11, 2019
…ream spinlock

The change protects almost the whole body of the u_audio_iso_complete()
function with the PCM stream lock; this is mainly sufficient to avoid a race
between USB request completion and stream termination. The change
prevents a possibility of invalid memory access in interrupt context
by memcpy():

    Unable to handle kernel paging request at virtual address 00004e80
    pgd = c0004000
    [00004e80] *pgd=00000000
    Internal error: Oops: 817 [#1] PREEMPT SMP ARM
    CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G         C   3.14.54+ #117
    task: da180b80 ti: da192000 task.ti: da192000
    PC is at memcpy+0x50/0x330
    LR is at 0xcdd92b0e
    pc : [<c029ef30>]    lr : [<cdd92b0e>]    psr: 20000193
    sp : da193ce4  ip : dd86ae26  fp : 0000b180
    r10: daf81680  r9 : 00000000  r8 : d58a01ea
    r7 : 2c0b43e4  r6 : acdfb08b  r5 : 01a271cf  r4 : 87389377
    r3 : 69469782  r2 : 00000020  r1 : daf82fe0  r0 : 00004e80
    Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
    Control: 10c5387d  Table: 2b70804a  DAC: 00000015
    Process ksoftirqd/0 (pid: 3, stack limit = 0xda192238)

Also added a check for a potential !runtime condition; commonly this is
done by PCM_RUNTIME_CHECK(substream) at the beginning. However, this
does not completely prevent oopses in u_audio_iso_complete(),
because the proper protection scheme must be implemented in the PCM
library functions.

An example of a *not fixed* oops due to a substream->runtime->*
dereference by snd_pcm_running(substream) from
snd_pcm_period_elapsed(), where substream->runtime is gone while
waiting for the substream lock:

    Unable to handle kernel paging request at virtual address 6b6b6b6b
    pgd = db7e4000
    [6b6b6b6b] *pgd=00000000
    CPU: 0 PID: 193 Comm: klogd Tainted: G         C   3.14.54+ #118
    task: db5ac500 ti: db60c000 task.ti: db60c000
    PC is at snd_pcm_period_elapsed+0x48/0xd8 [snd_pcm]
    LR is at snd_pcm_period_elapsed+0x40/0xd8 [snd_pcm]
    pc : [<>]    lr : [<>]    psr: 60000193
    Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 2b7e404a  DAC: 00000015
    Process klogd (pid: 193, stack limit = 0xdb60c238)
    [<>] (snd_pcm_period_elapsed [snd_pcm]) from [<>] (udc_irq+0x500/0xbbc)
    [<>] (udc_irq) from [<>] (ci_irq+0x280/0x304)
    [<>] (ci_irq) from [<>] (handle_irq_event_percpu+0xa4/0x40c)
    [<>] (handle_irq_event_percpu) from [<>] (handle_irq_event+0x3c/0x5c)
    [<>] (handle_irq_event) from [<>] (handle_fasteoi_irq+0xc4/0x110)
    [<>] (handle_fasteoi_irq) from [<>] (generic_handle_irq+0x20/0x30)
    [<>] (generic_handle_irq) from [<>] (handle_IRQ+0x80/0xc0)
    [<>] (handle_IRQ) from [<>] (gic_handle_irq+0x3c/0x60)
    [<>] (gic_handle_irq) from [<>] (__irq_svc+0x44/0x78)

Change-Id: I0b0e20f1aaf7c093c7fc198128186cfb637bdbf4
Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
[erosca: W/o this patch, with minimal instrumentation [1], I can
         consistently reproduce BUG: KASAN: use-after-free [2]]
[1] Instrumentation to reproduce issue [2]:
 diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c
 index a72295c953bb..bd0b308024fe 100644
 --- a/drivers/usb/gadget/function/u_audio.c
 +++ b/drivers/usb/gadget/function/u_audio.c
 @@ -16,6 +16,7 @@
  #include <sound/core.h>
  #include <sound/pcm.h>
  #include <sound/pcm_params.h>
 +#include <linux/delay.h>
  #include "u_audio.h"
 @@ -147,6 +148,8 @@ static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req)
 	spin_unlock_irqrestore(&prm->lock, flags);
 +	udelay(500); //delay here to increase probability of parallel activities
 +
 	/* Pack USB load in ALSA ring buffer */
 	pending = prm->dma_bytes - hw_ptr;
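Review bot: the udelay(500) inserted at @@ -147 sits between spin_unlock_irqrestore(&prm->lock, flags) and the "Pack USB load in ALSA ring buffer" copy, which is exactly the gap the commit message says memcpy() races in against stream termination, and since u_audio_iso_complete() runs in interrupt context it is a 500 µs busy-wait on every completion. That is acceptable for the local reproducer it is labelled as, but this hunk and the <linux/delay.h> include in the previous hunk must not travel with the fix; the delay only widens the window that the stream-lock change closes.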
[2] After applying [1], the BUG below occurs on the Rcar-H3-Salvator-X board:
==================================================================
BUG: KASAN: use-after-free in u_audio_iso_complete+0x24c/0x520 [u_audio]
Read of size 8 at addr ffff8006cafcc248 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        WC      4.14.47+ #160
Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
Call trace:
[<ffff2000080925ac>] dump_backtrace+0x0/0x364
[<ffff200008092924>] show_stack+0x14/0x1c
[<ffff200008f8dbcc>] dump_stack+0x108/0x174
[<ffff2000083c71b8>] print_address_description+0x7c/0x32c
[<ffff2000083c78e8>] kasan_report+0x324/0x354
[<ffff2000083c6114>] __asan_load8+0x24/0x94
[<ffff2000021d1b34>] u_audio_iso_complete+0x24c/0x520 [u_audio]
[<ffff20000152fe50>] usb_gadget_giveback_request+0x480/0x4d0 [udc_core]
[<ffff200001860ab8>] usbhsg_queue_done+0x100/0x130 [renesas_usbhs]
[<ffff20000185f814>] usbhsf_pkt_handler+0x1a4/0x298 [renesas_usbhs]
[<ffff20000185fb38>] usbhsf_irq_ready+0x128/0x178 [renesas_usbhs]
[<ffff200001859cc8>] usbhs_interrupt+0x440/0x490 [renesas_usbhs]
[<ffff2000081a0288>] __handle_irq_event_percpu+0x594/0xa58
[<ffff2000081a07d0>] handle_irq_event_percpu+0x84/0x12c
[<ffff2000081a0928>] handle_irq_event+0xb0/0x10c
[<ffff2000081a8384>] handle_fasteoi_irq+0x1e0/0x2ec
[<ffff20000819e5f8>] generic_handle_irq+0x2c/0x44
[<ffff20000819f0d0>] __handle_domain_irq+0x190/0x194
[<ffff20000808177c>] gic_handle_irq+0x80/0xac
Exception stack(0xffff200009e97c80 to 0xffff200009e97dc0)
[<ffff200008084034>] el1_irq+0xb4/0x12c
[<ffff200008b6c4f0>] cpuidle_enter_state+0x818/0x844
[<ffff200008b6c59c>] cpuidle_enter+0x18/0x20
[<ffff20000815f2e4>] call_cpuidle+0x98/0x9c
[<ffff20000815f674>] do_idle+0x214/0x264
[<ffff20000815facc>] cpu_startup_entry+0x20/0x24
[<ffff200008fb09d8>] rest_init+0x30c/0x320
[<ffff2000095f1338>] start_kernel+0x570/0x5b0
---<-snip->---
Fixes: 132fcb4 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: William Wu <william.wu@rock-chips.com>
(cherry picked from commit 56bc615)
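The race the commit message above describes, as an added user-space model written for this page (not code from the page, the kernel, or the u_audio driver): a completion path that checks substream->runtime and then copies into it without holding the stream lock across both steps lets stream termination free runtime in between, while the fixed shape keeps the check and the copy in one critical section so termination has to wait. The structures, the flag-based lock, the "freed" quarantine marker and the injected termination hook are constructed stand-ins, not the ALSA or USB gadget API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the ALSA objects; not the kernel structures. */
struct runtime {
    unsigned char dma_area[64];   /* ring buffer the completion copies into */
    bool freed;                   /* set instead of free(): a KASAN-style quarantine */
};

struct substream {
    bool locked;                  /* the PCM stream spinlock, as a flag (single thread) */
    struct runtime *runtime;      /* cleared by stream termination */
    struct runtime *quarantine;   /* the "freed" runtime, kept so it can be inspected */
    bool terminate_pending;       /* termination that found the lock held */
};

/* Stream termination takes the lock, frees runtime and clears the pointer.
 * A real caller would spin on the lock; in this model it registers itself
 * and the lock holder runs it right after unlocking. */
static void stream_terminate(struct substream *s)
{
    if (s->locked) {
        s->terminate_pending = true;
        return;
    }
    if (s->runtime) {
        s->runtime->freed = true;
        s->quarantine = s->runtime;
        s->runtime = NULL;
    }
}

typedef void (*race_hook_t)(struct substream *);
typedef int (*complete_fn)(struct substream *, const unsigned char *, size_t, race_hook_t);

/* Buggy shape: runtime is checked, then used, without the lock held across
 * both. Returns bytes copied, or -1 when memcpy() would hit a freed runtime
 * (the kernel has no such check; it oopses as in the commit message). */
static int iso_complete_unsafe(struct substream *s, const unsigned char *buf,
                               size_t len, race_hook_t hook)
{
    struct runtime *rt = s->runtime;
    if (!rt)
        return 0;                 /* PCM_RUNTIME_CHECK-style early exit */
    if (hook)
        hook(s);                  /* lock not held: termination frees rt here */
    if (rt->freed)
        return -1;                /* use-after-free on rt->dma_area */
    memcpy(rt->dma_area, buf, len);
    return (int)len;
}

/* Fixed shape: the !runtime check and the memcpy() form one critical section
 * under the stream lock, so termination has to wait until the copy is done. */
static int iso_complete_fixed(struct substream *s, const unsigned char *buf,
                              size_t len, race_hook_t hook)
{
    int copied = 0;
    s->locked = true;
    struct runtime *rt = s->runtime;
    if (rt) {
        if (hook)
            hook(s);              /* lock held: termination is only recorded */
        memcpy(rt->dma_area, buf, len);   /* rt is still valid here */
        copied = (int)len;
    }
    s->locked = false;
    if (s->terminate_pending) {   /* the waiting termination proceeds now */
        s->terminate_pending = false;
        stream_terminate(s);
    }
    return copied;
}

/* Drive one completion with termination injected at the worst point.
 * Returns -1 if the completion touched freed memory, the byte count if the
 * copy landed in the buffer before termination freed it, -2 otherwise. */
static int demo(complete_fn complete)
{
    static const unsigned char pkt[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed USB payload */
    struct substream s = {0};
    s.runtime = calloc(1, sizeof *s.runtime);
    int rc = complete(&s, pkt, sizeof pkt, stream_terminate);
    bool landed = s.runtime == NULL && s.quarantine != NULL &&
                  memcmp(s.quarantine->dma_area, pkt, sizeof pkt) == 0;
    free(s.runtime);
    free(s.quarantine);
    if (rc < 0)
        return rc;
    return landed ? rc : -2;
}
```

demo(iso_complete_unsafe) returns -1 (the copy would have hit the freed runtime) while demo(iso_complete_fixed) returns 8, with termination running only after the copy completed.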
rkchrome pushed a commit that referenced this issue Jun 27, 2019
[ Upstream commit ee74d0b ]

In case x25_connect() fails and frees the socket neighbour,
we also need to undo the change done to x25->state.

Before my last bug fix, we had a use-after-free, so this
patch fixes a latent bug.

syzbot report:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 16137 Comm: syz-executor.1 Not tainted 5.0.0+ #117
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:x25_write_internal+0x1e8/0xdf0 net/x25/x25_subr.c:173
Code: 00 40 88 b5 e0 fe ff ff 0f 85 01 0b 00 00 48 8b 8b 80 04 00 00 48 ba 00 00 00 00 00 fc ff df 48 8d 79 1c 48 89 fe 48 c1 ee 03 <0f> b6 34 16 48 89 fa 83 e2 07 83 c2 03 40 38 f2 7c 09 40 84 f6 0f
RSP: 0018:ffff888076717a08 EFLAGS: 00010207
RAX: ffff88805f2f2292 RBX: ffff8880a0ae6000 RCX: 0000000000000000
kobject: 'loop5' (0000000018d0d0ee): kobject_uevent_env
RDX: dffffc0000000000 RSI: 0000000000000003 RDI: 000000000000001c
RBP: ffff888076717b40 R08: ffff8880950e0580 R09: ffffed100be5e46d
R10: ffffed100be5e46c R11: ffff88805f2f2363 R12: ffff888065579840
kobject: 'loop5' (0000000018d0d0ee): fill_kobj_path: path = '/devices/virtual/block/loop5'
R13: 1ffff1100ece2f47 R14: 0000000000000013 R15: 0000000000000013
FS:  00007fb88cf43700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9a42a41028 CR3: 0000000087a67000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 x25_release+0xd0/0x340 net/x25/af_x25.c:658
 __sock_release+0xd3/0x2b0 net/socket.c:579
 sock_close+0x1b/0x30 net/socket.c:1162
 __fput+0x2df/0x8d0 fs/file_table.c:278
 ____fput+0x16/0x20 fs/file_table.c:309
 task_work_run+0x14a/0x1c0 kernel/task_work.c:113
 get_signal+0x1961/0x1d50 kernel/signal.c:2388
 do_signal+0x87/0x1940 arch/x86/kernel/signal.c:816
 exit_to_usermode_loop+0x244/0x2c0 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457f29
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb88cf42c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 0000000000457f29
RDX: 0000000000000012 RSI: 0000000020000080 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb88cf436d4
R13: 00000000004be462 R14: 00000000004cec98 R15: 00000000ffffffff
Modules linked in:

Fixes: 95d6ebd ("net/x25: fix use-after-free in x25_device_event()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: andrew hendry <andrew.hendry@gmail.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
0lvin pushed a commit to free-z4u/roc-rk3328-cc-official that referenced this issue Oct 5, 2019
Trivial fix to remove the following sparse warnings:

  arch/powerpc/kernel/module_32.c:112:74: warning: Using plain integer as NULL pointer
  arch/powerpc/kernel/module_32.c:117:74: warning: Using plain integer as NULL pointer
  drivers/macintosh/via-pmu.c:1155:28: warning: Using plain integer as NULL pointer
  drivers/macintosh/via-pmu.c:1230:20: warning: Using plain integer as NULL pointer
  drivers/macintosh/via-pmu.c:1385:36: warning: Using plain integer as NULL pointer
  drivers/macintosh/via-pmu.c:1752:23: warning: Using plain integer as NULL pointer
  drivers/macintosh/via-pmu.c:2084:19: warning: Using plain integer as NULL pointer
  drivers/macintosh/via-pmu.c:2110:32: warning: Using plain integer as NULL pointer
  drivers/macintosh/via-pmu.c:2167:19: warning: Using plain integer as NULL pointer
  drivers/macintosh/via-pmu.c:2183:19: warning: Using plain integer as NULL pointer
  drivers/macintosh/via-pmu.c:277:20: warning: Using plain integer as NULL pointer
  arch/powerpc/platforms/powermac/setup.c:155:67: warning: Using plain integer as NULL pointer
  arch/powerpc/platforms/powermac/setup.c:247:27: warning: Using plain integer as NULL pointer
  arch/powerpc/platforms/powermac/setup.c:249:27: warning: Using plain integer as NULL pointer
  arch/powerpc/platforms/powermac/setup.c:252:37: warning: Using plain integer as NULL pointer
  arch/powerpc/mm/tlb_hash32.c:127:21: warning: Using plain integer as NULL pointer
  arch/powerpc/mm/tlb_hash32.c:148:21: warning: Using plain integer as NULL pointer
  arch/powerpc/mm/tlb_hash32.c:44:21: warning: Using plain integer as NULL pointer
  arch/powerpc/mm/tlb_hash32.c:57:21: warning: Using plain integer as NULL pointer
  arch/powerpc/mm/tlb_hash32.c:87:21: warning: Using plain integer as NULL pointer
  arch/powerpc/kernel/btext.c:160:31: warning: Using plain integer as NULL pointer
  arch/powerpc/kernel/btext.c:167:22: warning: Using plain integer as NULL pointer
  arch/powerpc/kernel/btext.c:274:21: warning: Using plain integer as NULL pointer
  arch/powerpc/kernel/btext.c:285:31: warning: Using plain integer as NULL pointer
  arch/powerpc/include/asm/hugetlb.h:204:16: warning: Using plain integer as NULL pointer
  arch/powerpc/mm/ppc_mmu_32.c:170:21: warning: Using plain integer as NULL pointer
  arch/powerpc/platforms/powermac/pci.c:1227:23: warning: Using plain integer as NULL pointer
  arch/powerpc/platforms/powermac/pci.c:65:24: warning: Using plain integer as NULL pointer

Also use the `--fix` command line option of `script/checkpatch --strict` to
remove the following:

  CHECK: Comparison to NULL could be written "!dispDeviceBase"
  rockchip-linux#72: FILE: arch/powerpc/kernel/btext.c:160:
  +	if (dispDeviceBase == NULL)

  CHECK: Comparison to NULL could be written "!vbase"
  rockchip-linux#80: FILE: arch/powerpc/kernel/btext.c:167:
  +	if (vbase == NULL)

  CHECK: Comparison to NULL could be written "!base"
  rockchip-linux#89: FILE: arch/powerpc/kernel/btext.c:274:
  +	if (base == NULL)

  CHECK: Comparison to NULL could be written "!dispDeviceBase"
  rockchip-linux#98: FILE: arch/powerpc/kernel/btext.c:285:
  +	if (dispDeviceBase == NULL)

  CHECK: Comparison to NULL could be written "strstr"
  rockchip-linux#117: FILE: arch/powerpc/kernel/module_32.c:117:
  +		if (strstr(secstrings + sechdrs[i].sh_name, ".debug") != NULL)

  CHECK: Comparison to NULL could be written "!Hash"
  rockchip-linux#130: FILE: arch/powerpc/mm/ppc_mmu_32.c:170:
  +	if (Hash == NULL)

  CHECK: Comparison to NULL could be written "Hash"
  rockchip-linux#143: FILE: arch/powerpc/mm/tlb_hash32.c:44:
  +	if (Hash != NULL) {

  CHECK: Comparison to NULL could be written "!Hash"
  rockchip-linux#152: FILE: arch/powerpc/mm/tlb_hash32.c:57:
  +	if (Hash == NULL) {

  CHECK: Comparison to NULL could be written "!Hash"
  rockchip-linux#161: FILE: arch/powerpc/mm/tlb_hash32.c:87:
  +	if (Hash == NULL) {

  CHECK: Comparison to NULL could be written "!Hash"
  rockchip-linux#170: FILE: arch/powerpc/mm/tlb_hash32.c:127:
  +	if (Hash == NULL) {

  CHECK: Comparison to NULL could be written "!Hash"
  rockchip-linux#179: FILE: arch/powerpc/mm/tlb_hash32.c:148:
  +	if (Hash == NULL) {

  ERROR: space required after that ';' (ctx:VxV)
  rockchip-linux#192: FILE: arch/powerpc/platforms/powermac/pci.c:65:
  +	for (; node != NULL;node = node->sibling) {

  CHECK: Comparison to NULL could be written "node"
  rockchip-linux#192: FILE: arch/powerpc/platforms/powermac/pci.c:65:
  +	for (; node != NULL;node = node->sibling) {

  CHECK: Comparison to NULL could be written "!region"
  rockchip-linux#201: FILE: arch/powerpc/platforms/powermac/pci.c:1227:
  +	if (region == NULL)

  CHECK: Comparison to NULL could be written "of_get_property"
  rockchip-linux#214: FILE: arch/powerpc/platforms/powermac/setup.c:155:
  +		if (of_get_property(np, "cache-unified", NULL) != NULL && dc) {

  CHECK: Comparison to NULL could be written "!np"
  rockchip-linux#223: FILE: arch/powerpc/platforms/powermac/setup.c:247:
  +		if (np == NULL)

  CHECK: Comparison to NULL could be written "np"
  rockchip-linux#226: FILE: arch/powerpc/platforms/powermac/setup.c:249:
  +		if (np != NULL) {

  CHECK: Comparison to NULL could be written "l2cr"
  rockchip-linux#230: FILE: arch/powerpc/platforms/powermac/setup.c:252:
  +			if (l2cr != NULL) {

  CHECK: Comparison to NULL could be written "via"
  rockchip-linux#243: FILE: drivers/macintosh/via-pmu.c:277:
  +	if (via != NULL)

  CHECK: Comparison to NULL could be written "current_req"
  rockchip-linux#252: FILE: drivers/macintosh/via-pmu.c:1155:
  +	if (current_req != NULL) {

  CHECK: Comparison to NULL could be written "!req"
  rockchip-linux#261: FILE: drivers/macintosh/via-pmu.c:1230:
  +	if (req == NULL || pmu_state != idle

  CHECK: Comparison to NULL could be written "!req"
  rockchip-linux#270: FILE: drivers/macintosh/via-pmu.c:1385:
  +			if (req == NULL) {

  CHECK: Comparison to NULL could be written "!pp"
  rockchip-linux#288: FILE: drivers/macintosh/via-pmu.c:2084:
  +	if (pp == NULL)

  CHECK: Comparison to NULL could be written "!pp"
  rockchip-linux#297: FILE: drivers/macintosh/via-pmu.c:2110:
  +	if (count < 1 || pp == NULL)

  CHECK: Comparison to NULL could be written "!pp"
  rockchip-linux#306: FILE: drivers/macintosh/via-pmu.c:2167:
  +	if (pp == NULL)

  CHECK: Comparison to NULL could be written "pp"
  rockchip-linux#315: FILE: drivers/macintosh/via-pmu.c:2183:
  +	if (pp != NULL) {

Link: https://github.com/linuxppc/linux/issues/37
Signed-off-by: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
0lvin pushed a commit to free-z4u/roc-rk3328-cc-official that referenced this issue Oct 6, 2019
The change protects almost the whole body of u_audio_iso_complete()
function by PCM stream lock, this is mainly sufficient to avoid a race
between USB request completion and stream termination, the change
prevents a possibility of invalid memory access in interrupt context
by memcpy():

    Unable to handle kernel paging request at virtual address 00004e80
    pgd = c0004000
    [00004e80] *pgd=00000000
    Internal error: Oops: 817 [FireflyTeam#1] PREEMPT SMP ARM
    CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G         C   3.14.54+ rockchip-linux#117
    task: da180b80 ti: da192000 task.ti: da192000
    PC is at memcpy+0x50/0x330
    LR is at 0xcdd92b0e
    pc : [<c029ef30>]    lr : [<cdd92b0e>]    psr: 20000193
    sp : da193ce4  ip : dd86ae26  fp : 0000b180
    r10: daf81680  r9 : 00000000  r8 : d58a01ea
    r7 : 2c0b43e4  r6 : acdfb08b  r5 : 01a271cf  r4 : 87389377
    r3 : 69469782  r2 : 00000020  r1 : daf82fe0  r0 : 00004e80
    Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
    Control: 10c5387d  Table: 2b70804a  DAC: 00000015
    Process ksoftirqd/0 (pid: 3, stack limit = 0xda192238)

Also added a check for potential !runtime condition, commonly it is
done by PCM_RUNTIME_CHECK(substream) in the beginning, however this
does not completely prevent from oopses in u_audio_iso_complete(),
because the proper protection scheme must be implemented in PCM
library functions.

An example of *not fixed* oops due to substream->runtime->*
dereference by snd_pcm_running(substream) from
snd_pcm_period_elapsed(), where substream->runtime is gone while
waiting the substream lock:

    Unable to handle kernel paging request at virtual address 6b6b6b6b
    pgd = db7e4000
    [6b6b6b6b] *pgd=00000000
    CPU: 0 PID: 193 Comm: klogd Tainted: G         C   3.14.54+ rockchip-linux#118
    task: db5ac500 ti: db60c000 task.ti: db60c000
    PC is at snd_pcm_period_elapsed+0x48/0xd8 [snd_pcm]
    LR is at snd_pcm_period_elapsed+0x40/0xd8 [snd_pcm]
    pc : [<>]    lr : [<>]    psr: 60000193
    Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 2b7e404a  DAC: 00000015
    Process klogd (pid: 193, stack limit = 0xdb60c238)
    [<>] (snd_pcm_period_elapsed [snd_pcm]) from [<>] (udc_irq+0x500/0xbbc)
    [<>] (udc_irq) from [<>] (ci_irq+0x280/0x304)
    [<>] (ci_irq) from [<>] (handle_irq_event_percpu+0xa4/0x40c)
    [<>] (handle_irq_event_percpu) from [<>] (handle_irq_event+0x3c/0x5c)
    [<>] (handle_irq_event) from [<>] (handle_fasteoi_irq+0xc4/0x110)
    [<>] (handle_fasteoi_irq) from [<>] (generic_handle_irq+0x20/0x30)
    [<>] (generic_handle_irq) from [<>] (handle_IRQ+0x80/0xc0)
    [<>] (handle_IRQ) from [<>] (gic_handle_irq+0x3c/0x60)
    [<>] (gic_handle_irq) from [<>] (__irq_svc+0x44/0x78)

Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
[erosca: W/o this patch, with minimal instrumentation [1], I can
         consistently reproduce BUG: KASAN: use-after-free [2]]

[1] Instrumentation to reproduce issue [2]:
 diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c
 index a72295c953bb..bd0b308024fe 100644
 --- a/drivers/usb/gadget/function/u_audio.c
 +++ b/drivers/usb/gadget/function/u_audio.c
 @@ -16,6 +16,7 @@
  #include <sound/core.h>
  #include <sound/pcm.h>
  #include <sound/pcm_params.h>
 +#include <linux/delay.h>

  #include "u_audio.h"

 @@ -147,6 +148,8 @@ static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req)

 	spin_unlock_irqrestore(&prm->lock, flags);

 +	udelay(500); //delay here to increase probability of parallel activities
 +
 	/* Pack USB load in ALSA ring buffer */
 	pending = prm->dma_bytes - hw_ptr;

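Review bot: the udelay(500) is inserted right after spin_unlock_irqrestore(&prm->lock, flags) and immediately before the "Pack USB load in ALSA ring buffer" copy, so the busy-wait runs with prm->lock already dropped, which is exactly the check-to-use window that the stream teardown races with and what makes the KASAN report in [2] reproducible. Since the commit labels this as instrumentation only, it should remain a local repro aid and not be carried into a merged tree; anyone reusing it should keep in mind that udelay() here runs in the request completion path, which the commit text itself describes as interrupt context.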
[2] After applying [1], the BUG below occurs on the Rcar-H3-Salvator-X board:
==================================================================
BUG: KASAN: use-after-free in u_audio_iso_complete+0x24c/0x520 [u_audio]
Read of size 8 at addr ffff8006cafcc248 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        WC      4.14.47+ rockchip-linux#160
Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
Call trace:
[<ffff2000080925ac>] dump_backtrace+0x0/0x364
[<ffff200008092924>] show_stack+0x14/0x1c
[<ffff200008f8dbcc>] dump_stack+0x108/0x174
[<ffff2000083c71b8>] print_address_description+0x7c/0x32c
[<ffff2000083c78e8>] kasan_report+0x324/0x354
[<ffff2000083c6114>] __asan_load8+0x24/0x94
[<ffff2000021d1b34>] u_audio_iso_complete+0x24c/0x520 [u_audio]
[<ffff20000152fe50>] usb_gadget_giveback_request+0x480/0x4d0 [udc_core]
[<ffff200001860ab8>] usbhsg_queue_done+0x100/0x130 [renesas_usbhs]
[<ffff20000185f814>] usbhsf_pkt_handler+0x1a4/0x298 [renesas_usbhs]
[<ffff20000185fb38>] usbhsf_irq_ready+0x128/0x178 [renesas_usbhs]
[<ffff200001859cc8>] usbhs_interrupt+0x440/0x490 [renesas_usbhs]
[<ffff2000081a0288>] __handle_irq_event_percpu+0x594/0xa58
[<ffff2000081a07d0>] handle_irq_event_percpu+0x84/0x12c
[<ffff2000081a0928>] handle_irq_event+0xb0/0x10c
[<ffff2000081a8384>] handle_fasteoi_irq+0x1e0/0x2ec
[<ffff20000819e5f8>] generic_handle_irq+0x2c/0x44
[<ffff20000819f0d0>] __handle_domain_irq+0x190/0x194
[<ffff20000808177c>] gic_handle_irq+0x80/0xac
Exception stack(0xffff200009e97c80 to 0xffff200009e97dc0)
7c80: 0000000000000000 0000000000000000 0000000000000003 ffff200008179298
7ca0: ffff20000ae1c180 dfff200000000000 0000000000000000 ffff2000081f9a88
7cc0: ffff200009eb5960 ffff200009e97cf0 0000000000001600 ffff0400041b064b
7ce0: 0000000000000000 0000000000000002 0000000200000001 0000000000000001
7d00: ffff20000842197c 0000ffff958c4970 0000000000000000 ffff8006da0d5b80
7d20: ffff8006d4678498 0000000000000000 000000126bde0a8b ffff8006d4678480
7d40: 0000000000000000 000000126bdbea64 ffff200008fd0000 ffff8006fffff980
7d60: 00000000495f0018 ffff200009e97dc0 ffff200008b6c4ec ffff200009e97dc0
7d80: ffff200008b6c4f0 0000000020000145 ffff8006da0d5b80 ffff8006d4678498
7da0: ffffffffffffffff ffff8006d4678498 ffff200009e97dc0 ffff200008b6c4f0
[<ffff200008084034>] el1_irq+0xb4/0x12c
[<ffff200008b6c4f0>] cpuidle_enter_state+0x818/0x844
[<ffff200008b6c59c>] cpuidle_enter+0x18/0x20
[<ffff20000815f2e4>] call_cpuidle+0x98/0x9c
[<ffff20000815f674>] do_idle+0x214/0x264
[<ffff20000815facc>] cpu_startup_entry+0x20/0x24
[<ffff200008fb09d8>] rest_init+0x30c/0x320
[<ffff2000095f1338>] start_kernel+0x570/0x5b0
---<-snip->---

Fixes: 132fcb4 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
StephenInVamrs referenced this issue in radxa/kernel Jan 2, 2020
…ream spinlock

The change protects almost the whole body of the u_audio_iso_complete()
function with the PCM stream lock; this is mainly sufficient to avoid a race
between USB request completion and stream termination, and the change
prevents the possibility of an invalid memory access in interrupt context
by memcpy():

    Unable to handle kernel paging request at virtual address 00004e80
    pgd = c0004000
    [00004e80] *pgd=00000000
    Internal error: Oops: 817 [#1] PREEMPT SMP ARM
    CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G         C   3.14.54+ #117
    task: da180b80 ti: da192000 task.ti: da192000
    PC is at memcpy+0x50/0x330
    LR is at 0xcdd92b0e
    pc : [<c029ef30>]    lr : [<cdd92b0e>]    psr: 20000193
    sp : da193ce4  ip : dd86ae26  fp : 0000b180
    r10: daf81680  r9 : 00000000  r8 : d58a01ea
    r7 : 2c0b43e4  r6 : acdfb08b  r5 : 01a271cf  r4 : 87389377
    r3 : 69469782  r2 : 00000020  r1 : daf82fe0  r0 : 00004e80
    Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
    Control: 10c5387d  Table: 2b70804a  DAC: 00000015
    Process ksoftirqd/0 (pid: 3, stack limit = 0xda192238)

Also added a check for a potential !runtime condition; commonly this is
done by PCM_RUNTIME_CHECK(substream) at the beginning. However, this
does not completely prevent oopses in u_audio_iso_complete(),
because the proper protection scheme must be implemented in the PCM
library functions.

An example of a *not fixed* oops due to a substream->runtime->*
dereference by snd_pcm_running(substream) from
snd_pcm_period_elapsed(), where substream->runtime is gone while
waiting for the substream lock:

    Unable to handle kernel paging request at virtual address 6b6b6b6b
    pgd = db7e4000
    [6b6b6b6b] *pgd=00000000
    CPU: 0 PID: 193 Comm: klogd Tainted: G         C   3.14.54+ #118
    task: db5ac500 ti: db60c000 task.ti: db60c000
    PC is at snd_pcm_period_elapsed+0x48/0xd8 [snd_pcm]
    LR is at snd_pcm_period_elapsed+0x40/0xd8 [snd_pcm]
    pc : [<>]    lr : [<>]    psr: 60000193
    Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 2b7e404a  DAC: 00000015
    Process klogd (pid: 193, stack limit = 0xdb60c238)
    [<>] (snd_pcm_period_elapsed [snd_pcm]) from [<>] (udc_irq+0x500/0xbbc)
    [<>] (udc_irq) from [<>] (ci_irq+0x280/0x304)
    [<>] (ci_irq) from [<>] (handle_irq_event_percpu+0xa4/0x40c)
    [<>] (handle_irq_event_percpu) from [<>] (handle_irq_event+0x3c/0x5c)
    [<>] (handle_irq_event) from [<>] (handle_fasteoi_irq+0xc4/0x110)
    [<>] (handle_fasteoi_irq) from [<>] (generic_handle_irq+0x20/0x30)
    [<>] (generic_handle_irq) from [<>] (handle_IRQ+0x80/0xc0)
    [<>] (handle_IRQ) from [<>] (gic_handle_irq+0x3c/0x60)
    [<>] (gic_handle_irq) from [<>] (__irq_svc+0x44/0x78)

Change-Id: I0b0e20f1aaf7c093c7fc198128186cfb637bdbf4
Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
[erosca: W/o this patch, with minimal instrumentation [1], I can
         consistently reproduce BUG: KASAN: use-after-free [2]]
[1] Instrumentation to reproduce issue [2]:
 diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c
 index a72295c953bb..bd0b308024fe 100644
 --- a/drivers/usb/gadget/function/u_audio.c
 +++ b/drivers/usb/gadget/function/u_audio.c
 @@ -16,6 +16,7 @@
  #include <sound/core.h>
  #include <sound/pcm.h>
  #include <sound/pcm_params.h>
 +#include <linux/delay.h>
  #include "u_audio.h"
 @@ -147,6 +148,8 @@ static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req)
 	spin_unlock_irqrestore(&prm->lock, flags);
 +	udelay(500); //delay here to increase probability of parallel activities
 +
 	/* Pack USB load in ALSA ring buffer */
 	pending = prm->dma_bytes - hw_ptr;
[2] After applying [1], the BUG below occurs on the Rcar-H3-Salvator-X board:
==================================================================
BUG: KASAN: use-after-free in u_audio_iso_complete+0x24c/0x520 [u_audio]
Read of size 8 at addr ffff8006cafcc248 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        WC      4.14.47+ #160
Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
Call trace:
[<ffff2000080925ac>] dump_backtrace+0x0/0x364
[<ffff200008092924>] show_stack+0x14/0x1c
[<ffff200008f8dbcc>] dump_stack+0x108/0x174
[<ffff2000083c71b8>] print_address_description+0x7c/0x32c
[<ffff2000083c78e8>] kasan_report+0x324/0x354
[<ffff2000083c6114>] __asan_load8+0x24/0x94
[<ffff2000021d1b34>] u_audio_iso_complete+0x24c/0x520 [u_audio]
[<ffff20000152fe50>] usb_gadget_giveback_request+0x480/0x4d0 [udc_core]
[<ffff200001860ab8>] usbhsg_queue_done+0x100/0x130 [renesas_usbhs]
[<ffff20000185f814>] usbhsf_pkt_handler+0x1a4/0x298 [renesas_usbhs]
[<ffff20000185fb38>] usbhsf_irq_ready+0x128/0x178 [renesas_usbhs]
[<ffff200001859cc8>] usbhs_interrupt+0x440/0x490 [renesas_usbhs]
[<ffff2000081a0288>] __handle_irq_event_percpu+0x594/0xa58
[<ffff2000081a07d0>] handle_irq_event_percpu+0x84/0x12c
[<ffff2000081a0928>] handle_irq_event+0xb0/0x10c
[<ffff2000081a8384>] handle_fasteoi_irq+0x1e0/0x2ec
[<ffff20000819e5f8>] generic_handle_irq+0x2c/0x44
[<ffff20000819f0d0>] __handle_domain_irq+0x190/0x194
[<ffff20000808177c>] gic_handle_irq+0x80/0xac
Exception stack(0xffff200009e97c80 to 0xffff200009e97dc0)
7c80: 0000000000000000 0000000000000000 0000000000000003 ffff200008179298
7ca0: ffff20000ae1c180 dfff200000000000 0000000000000000 ffff2000081f9a88
7cc0: ffff200009eb5960 ffff200009e97cf0 0000000000001600 ffff0400041b064b
7ce0: 0000000000000000 0000000000000002 0000000200000001 0000000000000001
7d00: ffff20000842197c 0000ffff958c4970 0000000000000000 ffff8006da0d5b80
7d20: ffff8006d4678498 0000000000000000 000000126bde0a8b ffff8006d4678480
7d40: 0000000000000000 000000126bdbea64 ffff200008fd0000 ffff8006fffff980
7d60: 00000000495f0018 ffff200009e97dc0 ffff200008b6c4ec ffff200009e97dc0
7d80: ffff200008b6c4f0 0000000020000145 ffff8006da0d5b80 ffff8006d4678498
7da0: ffffffffffffffff ffff8006d4678498 ffff200009e97dc0 ffff200008b6c4f0
[<ffff200008084034>] el1_irq+0xb4/0x12c
[<ffff200008b6c4f0>] cpuidle_enter_state+0x818/0x844
[<ffff200008b6c59c>] cpuidle_enter+0x18/0x20
[<ffff20000815f2e4>] call_cpuidle+0x98/0x9c
[<ffff20000815f674>] do_idle+0x214/0x264
[<ffff20000815facc>] cpu_startup_entry+0x20/0x24
[<ffff200008fb09d8>] rest_init+0x30c/0x320
[<ffff2000095f1338>] start_kernel+0x570/0x5b0
---<-snip->---
Fixes: 132fcb4 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: William Wu <william.wu@rock-chips.com>
(cherry picked from commit 56bc615)
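To make the race in the commit message concrete, here is an added user-space model (not the patch's or the kernel's code) of the two handler shapes it contrasts: the pre-fix one that checks substream->runtime outside the lock and then uses it, and the post-fix one that takes the stream lock around both the !runtime check and the memcpy. A pthread mutex stands in for the PCM stream spinlock, a hook injects the concurrent stream teardown at the check/use window, and every struct and function name here is constructed for the model.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the ALSA objects; not the kernel's struct definitions. */
struct pcm_runtime {
    uint8_t *dma_area;            /* ring buffer the ISO payload is copied into */
    size_t   dma_bytes;
    bool     running;
};

struct pcm_substream {
    pthread_mutex_t     lock;     /* plays the role of the PCM stream spinlock */
    struct pcm_runtime *runtime;  /* set to NULL when the stream is closed */
};

typedef void (*window_hook_t)(void *arg);   /* harness hook: inject teardown at the window */

static struct pcm_substream *stream_open(size_t dma_bytes)
{
    struct pcm_substream *s = calloc(1, sizeof *s);
    s->runtime = calloc(1, sizeof *s->runtime);
    s->runtime->dma_area = calloc(1, dma_bytes);
    s->runtime->dma_bytes = dma_bytes; s->runtime->running = true;
    pthread_mutex_init(&s->lock, NULL);
    return s;
}

/* Teardown side of the race: detach the runtime under the lock, then free it. */
static void stream_close(struct pcm_substream *s)
{
    pthread_mutex_lock(&s->lock);
    struct pcm_runtime *rt = s->runtime;
    s->runtime = NULL;
    pthread_mutex_unlock(&s->lock);
    if (rt) { free(rt->dma_area); free(rt); }
}

/* Pre-fix shape: runtime is checked and then used without the stream lock. Returns bytes
 * copied, -1 if the runtime was already gone at the check, -2 if it vanished between check
 * and use (the use-after-free; the model re-reads the pointer instead of dereferencing it). */
static long iso_complete_unlocked(struct pcm_substream *s, const uint8_t *buf, size_t len,
                                  window_hook_t hook, void *arg)
{
    struct pcm_runtime *rt = s->runtime;
    if (!rt || !rt->running) return -1;   /* PCM_RUNTIME_CHECK-style test, but unlocked */
    if (hook) hook(arg);                  /* a concurrent stream_close() lands here */
    if (s->runtime != rt) return -2;      /* rt is dangling: this is the oops case */
    size_t n = len < rt->dma_bytes ? len : rt->dma_bytes;
    memcpy(rt->dma_area, buf, n);
    return (long)n;
}

/* Post-fix shape: the !runtime check and the copy both happen under the stream lock, so a
 * teardown that starts inside the window blocks on the lock until the copy is finished. */
static long iso_complete_locked(struct pcm_substream *s, const uint8_t *buf, size_t len,
                                window_hook_t hook, void *arg)
{
    pthread_mutex_lock(&s->lock);
    struct pcm_runtime *rt = s->runtime;
    if (!rt || !rt->running) { pthread_mutex_unlock(&s->lock); return -1; }
    if (hook) hook(arg);                  /* teardown is requested but cannot take the lock */
    size_t n = len < rt->dma_bytes ? len : rt->dma_bytes;
    memcpy(rt->dma_area, buf, n);
    pthread_mutex_unlock(&s->lock);       /* only now can stream_close() proceed */
    return (long)n;
}

/* "Other context" helpers: close inline (fine for the unlocked handler, which holds no lock)
 * or close from a thread that has to contend for the lock. */
struct closer { pthread_t thr; struct pcm_substream *s; };
static void  close_inline(void *arg) { stream_close(arg); }
static void *closer_main(void *arg) { stream_close(((struct closer *)arg)->s); return NULL; }
static void  close_from_thread(void *arg)
{ struct closer *c = arg; pthread_create(&c->thr, NULL, closer_main, c); }

static const uint8_t payload[16] = { 0x01, 0x02, 0x03, 0x04 };   /* constructed ISO packet */

/* Unlocked handler with teardown injected in the window: returns -2 (use-after-free). */
static long run_unlocked_race(void)
{
    struct pcm_substream *s = stream_open(64);
    long r = iso_complete_unlocked(s, payload, sizeof payload, close_inline, s);
    pthread_mutex_destroy(&s->lock); free(s);
    return r;
}

/* Locked handler with the same injection: copy completes (16), teardown runs afterwards. */
static long run_locked_race(void)
{
    struct pcm_substream *s = stream_open(64);
    struct closer c = { .s = s };
    long r = iso_complete_locked(s, payload, sizeof payload, close_from_thread, &c);
    pthread_join(c.thr, NULL);            /* stream_close() finished after our unlock */
    pthread_mutex_destroy(&s->lock); free(s);
    return r;
}
```

A completion that arrives after the stream is already closed hits the !runtime check in the locked variant and returns -1 without touching the freed buffer.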
scpcom pushed a commit to scpcom/linux that referenced this issue Apr 30, 2020
@peppelinux

Got it to work here:
https://github.com/peppelinux/Radxa-Rock-RK3188/blob/master/README.md

Now I'm compiling rockchip-linux 4.4 instead of linux-stable 5.8.7; further updates will be on that repository.
Don't know why you're running into that; I've added the init= parameter in the boot arguments, and I can see systemd starting properly.

@peppelinux

Got this

Loading ARM Linux zImage '/mnt/mshc1.0/zImage'
zImage: concatenated oftree detected
commandline: <NULL>
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 4.4.194 (root@peppelinux-desktop) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu1) ) #1 SMP PREEMPT Mon Sep 21 14:29:25 CEST 2020
[    0.000000] CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=10c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine model: Radxa Rock
[    0.000000] cma: Reserved 16 MiB at 0xdf000000
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] PERCPU: Embedded 13 pages/cpu @eeda7000 s23948 r8192 d21108 u53248
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 522560
[    0.000000] Kernel command line: console=ttyS2,115200  root=/dev/mmcblk0p2 rootwait init=/init
[    0.000000] PID hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
[    0.000000] Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
[    0.000000] Memory: 2041400K/2097152K available (10240K kernel code, 1193K rwdata, 4160K rodata, 1024K init, 2163K bss, 39368K reserved, 16384K cma-reserved, 1294336K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0xf0800000 - 0xff800000   ( 240 MB)
[    0.000000]     lowmem  : 0xc0000000 - 0xf0000000   ( 768 MB)
[    0.000000]     pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
[    0.000000]     modules : 0xbf000000 - 0xbfe00000   (  14 MB)
[    0.000000]       .text : 0xc0008000 - 0xc0b00000   (11232 kB)
[    0.000000]       .init : 0xc1000000 - 0xc1100000   (1024 kB)
[    0.000000]       .data : 0xc1100000 - 0xc122a458   (1194 kB)
[    0.000000]        .bss : 0xc122c000 - 0xc1448da4   (2164 kB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000] 	Build-time adjustment of leaf fanout to 32.
[    0.000000] NR_IRQS:16 nr_irqs:16 16
[    0.000021] sched_clock: 64 bits at 150MHz, resolution 6ns, wraps every 2199023255551ns
[    0.000056] clocksource: arm_global_timer: mask: 0xffffffffffffffff max_cycles: 0x2298375bd0, max_idle_ns: 440795208267 ns
[    0.001227] Calibrating delay loop... 1194.16 BogoMIPS (lpj=1990656)
[    0.040248] pid_max: default: 32768 minimum: 301
[    0.040370] Security Framework initialized
[    0.040391] SELinux:  Initializing.
[    0.040531] Mount-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.040556] Mountpoint-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.041729] Initializing cgroup subsys memory
[    0.041791] Initializing cgroup subsys freezer
[    0.041889] CPU: Testing write buffer coherency: ok
[    0.042531] CPU0: update cpu_capacity 1024
[    0.042556] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[    0.042684] Setting up static identity map for 0x60100000 - 0x60100058
[    0.090418] Brought up 1 CPUs
[    0.090445] SMP: Total of 1 processors activated (1194.16 BogoMIPS).
[    0.090457] CPU: All CPU(s) started in SVC mode.
[    0.092163] devtmpfs: initialized
[    0.104126] VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
[    0.105136] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6370867519511994 ns
[    0.105193] futex hash table entries: 1024 (order: 4, 65536 bytes)
[    0.108924] pinctrl core: initialized pinctrl subsystem
[    0.110968] NET: Registered protocol family 16
[    0.113069] DMA: preallocated 256 KiB pool for atomic coherent allocations
[    0.133638] cpuidle: using governor ladder
[    0.160299] cpuidle: using governor menu
[    0.160392] Registered FIQ tty driver
[    0.177995] hw-breakpoint: found 5 (+1 reserved) breakpoint and 1 watchpoint registers.
[    0.178018] hw-breakpoint: maximum watchpoint size is 4 bytes.
[    0.262724] sdmmc-supply: regulator get failed, ret=-517
[    0.265499] SCSI subsystem initialized
[    0.266017] usbcore: registered new interface driver usbfs
[    0.266142] usbcore: registered new interface driver hub
[    0.266549] usbcore: registered new device driver usb
[    0.267982] media: Linux media interface: v0.10
[    0.268091] Linux video capture interface: v2.00
[    0.268565] pps_core: LinuxPPS API ver. 1 registered
[    0.268585] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.268661] PTP clock support registered
[    0.271449] Advanced Linux Sound Architecture Driver Initialized.
[    0.272526] Bluetooth: Core ver 2.21
[    0.272644] NET: Registered protocol family 31
[    0.272661] Bluetooth: HCI device and connection manager initialized
[    0.272690] Bluetooth: HCI socket layer initialized
[    0.272713] Bluetooth: L2CAP socket layer initialized
[    0.272807] Bluetooth: SCO socket layer initialized
[    0.278582] clocksource: Switched to clocksource arm_global_timer
[    0.387797] rga: Module initialized.
[    0.392026] NET: Registered protocol family 2
[    0.393152] TCP established hash table entries: 8192 (order: 3, 32768 bytes)
[    0.393271] TCP bind hash table entries: 8192 (order: 4, 65536 bytes)
[    0.393445] TCP: Hash tables configured (established 8192 bind 8192)
[    0.393693] UDP hash table entries: 512 (order: 2, 16384 bytes)
[    0.393769] UDP-Lite hash table entries: 512 (order: 2, 16384 bytes)
[    0.394184] NET: Registered protocol family 1
[    0.405481] audit: initializing netlink subsys (disabled)
[    0.405581] audit: type=2000 audit(0.400:1): initialized
[    0.427734] VFS: Disk quotas dquot_6.6.0
[    0.428009] VFS: Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
[    0.430092] Registering sdcardfs 0.1
[    0.430694] fuse init (API version 7.23)
[    0.433940] 
[    0.433940] TEE Core Framework initialization (ver 1:0.1)
[    0.434015] tee: kernel is running in secure mode, tee service unavailable.
[    0.450922] bounce: pool size: 64 pages
[    0.451230] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 247)
[    0.451277] io scheduler noop registered
[    0.451305] io scheduler deadline registered
[    0.451546] io scheduler cfq registered (default)
[    0.457708] Module initialized.
[    0.460748] dma-pl330 20018000.dma-controller: Loaded driver for PL330 DMAC-241330
[    0.460778] dma-pl330 20018000.dma-controller: 	DBUFF-32x8bytes Num_Chans-6 Num_Peri-12 Num_Events-12
[    0.464709] dma-pl330 20078000.dma-controller: Loaded driver for PL330 DMAC-241330
[    0.464741] dma-pl330 20078000.dma-controller: 	DBUFF-64x8bytes Num_Chans-7 Num_Peri-20 Num_Events-14
[    0.467228] Serial: 8250/16550 driver, 5 ports, IRQ sharing disabled
[    0.468129] 10124000.serial: ttyS0 at MMIO 0x10124000 (irq = 22, base_baud = 1500000) is a 16550A
[    0.469191] 10126000.serial: ttyS1 at MMIO 0x10126000 (irq = 23, base_baud = 1500000) is a 16550A
[    0.470463] 20064000.serial: ttyS2 at MMIO 0x20064000 (irq = 30, base_baud = 1500000) is a 16550A
[    1.111879] console [ttyS2] enabled
[    1.116391] 20068000.serial: ttyS3 at MMIO 0x20068000 (irq = 31, base_baud = 1500000) is a 16550A
[    1.126887] [drm] Initialized drm 1.1.0 20060810
[    1.264404] brd: module loaded
[    1.321438] loop: module loaded
[    1.331333] zram: Added device: zram0
[    1.341211] SCSI Media Changer driver v0.25 
[    1.346423] tun: Universal TUN/TAP device driver, 1.6
[    1.351558] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[    1.358792] PPP generic driver version 2.4.2
[    1.363772] PPP BSD Compression module registered
[    1.368655] PPP Deflate Compression module registered
[    1.373817] PPP MPPE Compression module registered
[    1.378782] NET: Registered protocol family 24
[    1.383390] SLIP: version 0.8.4-NET3.019-NEWTTY (dynamic channels, max=256) (6 bit encapsulation enabled).
[    1.393168] CSLIP: code copyright 1989 Regents of the University of California.
[    1.400571] Rockchip WiFi SYS interface (V1.00) ... 
[    1.405899] usbcore: registered new interface driver catc
[    1.411535] usbcore: registered new interface driver kaweth
[    1.417198] pegasus: v0.9.3 (2013/04/25), Pegasus/Pegasus II USB Ethernet driver
[    1.424771] usbcore: registered new interface driver pegasus
[    1.430646] usbcore: registered new interface driver rtl8150
[    1.436519] usbcore: registered new interface driver r8152
[    1.442091] hso: drivers/net/usb/hso.c: Option Wireless
[    1.447557] usbcore: registered new interface driver hso
[    1.453083] usbcore: registered new interface driver asix
[    1.458699] usbcore: registered new interface driver ax88179_178a
[    1.465005] usbcore: registered new interface driver cdc_ether
[    1.471049] usbcore: registered new interface driver cdc_eem
[    1.476986] usbcore: registered new interface driver dm9601
[    1.482788] usbcore: registered new interface driver smsc75xx
[    1.488778] usbcore: registered new interface driver smsc95xx
[    1.494747] usbcore: registered new interface driver gl620a
[    1.500536] usbcore: registered new interface driver net1080
[    1.506405] usbcore: registered new interface driver plusb
[    1.512104] usbcore: registered new interface driver rndis_host
[    1.518229] usbcore: registered new interface driver cdc_subset
[    1.524357] usbcore: registered new interface driver zaurus
[    1.530146] usbcore: registered new interface driver MOSCHIP usb-ethernet driver
[    1.537790] usbcore: registered new interface driver int51x1
[    1.543726] usbcore: registered new interface driver kalmia
[    1.549518] usbcore: registered new interface driver ipheth
[    1.555292] usbcore: registered new interface driver sierra_net
[    1.561421] usbcore: registered new interface driver cx82310_eth
[    1.567645] usbcore: registered new interface driver cdc_ncm
[    1.573511] usbcore: registered new interface driver qmi_wwan
[    1.579470] usbcore: registered new interface driver cdc_mbim
[    1.585634] 10180000.usb supply vusb_d not found, using dummy regulator
[    1.592481] 10180000.usb supply vusb_a not found, using dummy regulator
[    1.803685] dwc2 10180000.usb: EPs: 10, dedicated fifos, 972 entries in SPRAM
[    1.817377] dwc2 10180000.usb: DWC OTG Controller
[    1.822287] dwc2 10180000.usb: new USB bus registered, assigned bus number 1
[    1.829464] dwc2 10180000.usb: irq 24, io mem 0x10180000
[    1.835330] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
[    1.842192] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[    1.849467] usb usb1: Product: DWC OTG Controller
[    1.854222] usb usb1: Manufacturer: Linux 4.4.194 dwc2_hsotg
[    1.859931] usb usb1: SerialNumber: 10180000.usb
[    1.865817] hub 1-0:1.0: USB hub found
[    1.869829] hub 1-0:1.0: 1 port detected
[    1.875180] 101c0000.usb supply vusb_d not found, using dummy regulator
[    1.882097] 101c0000.usb supply vusb_a not found, using dummy regulator
[    2.000500] dwc2 101c0000.usb: DWC OTG Controller
[    2.005410] dwc2 101c0000.usb: new USB bus registered, assigned bus number 2
[    2.012587] dwc2 101c0000.usb: irq 25, io mem 0x101c0000
[    2.018638] usb usb2: New USB device found, idVendor=1d6b, idProduct=0002
[    2.025508] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[    2.032785] usb usb2: Product: DWC OTG Controller
[    2.037544] usb usb2: Manufacturer: Linux 4.4.194 dwc2_hsotg
[    2.043251] usb usb2: SerialNumber: 101c0000.usb
[    2.049114] hub 2-0:1.0: USB hub found
[    2.053126] hub 2-0:1.0: 1 port detected
[    2.059713] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    2.066433] ehci-platform: EHCI generic platform driver
[    2.072046] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    2.078459] ohci-platform: OHCI generic platform driver
[    2.084242] usbcore: registered new interface driver cdc_acm
[    2.090063] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[    2.098330] usbcore: registered new interface driver usblp
[    2.104142] usbcore: registered new interface driver cdc_wdm
[    2.110127] usbcore: registered new interface driver usb-storage
[    2.116368] usbcore: registered new interface driver ums-alauda
[    2.122512] usbcore: registered new interface driver ums-cypress
[    2.128739] usbcore: registered new interface driver ums-datafab
[    2.134959] usbcore: registered new interface driver ums-freecom
[    2.141203] usbcore: registered new interface driver ums-isd200
[    2.147343] usbcore: registered new interface driver ums-jumpshot
[    2.153697] usbcore: registered new interface driver ums-karma
[    2.159744] usbcore: registered new interface driver ums-onetouch
[    2.166059] usbcore: registered new interface driver ums-sddr09
[    2.172200] usbcore: registered new interface driver ums-sddr55
[    2.178336] usbcore: registered new interface driver ums-usbat
[    2.184526] usbcore: registered new interface driver usbserial
[    2.190562] usbcore: registered new interface driver usbserial_generic
[    2.197234] usbserial: USB Serial support registered for generic
[    2.203472] usbcore: registered new interface driver option
[    2.209207] usbserial: USB Serial support registered for GSM modem (1-port)
[    2.216730] usbcore: registered new interface driver trancevibrator
[    2.223108] usb20_otg: version 3.10a 21-DEC-2012
[    2.228125] usb20_host: version 3.10a 21-DEC-2012
[    2.240924] usbcore: registered new interface driver xpad
[    2.254093] sensor_register_slave:mma8452,id=17
[    2.258794] sensor_register_slave:lis3dh,id=7
[    2.263232] sensor_register_slave:mma7660,id=18
[    2.267829] sensor_register_slave:lsm303d,id=23
[    2.272420] sensor_register_slave:gs_mc3230,id=24
[    2.277169] [Gsensor]   gsensor_init
[    2.280806] sensor_register_slave:mpu6880_acc,id=25
[    2.285743] sensor_register_slave:mpu6500_acc,id=26
[    2.290678] sensor_register_slave:lsm330_acc,id=27
[    2.295528] sensor_register_slave:akm8975,id=31
[    2.300118] sensor_register_slave:akm8963,id=32
[    2.304709] sensor_register_slave:l3g4200d,id=46
[    2.309383] sensor_register_slave:l3g20d,id=47
[    2.313885] sensor_register_slave:ewtsa,id=48
[    2.318302] sensor_register_slave:lsm330_gyro,id=52
[    2.323241] sensor_register_slave:cm3217,id=54
[    2.327741] sensor_register_slave:cm3218,id=55
[    2.334214] i2c /dev entries driver
[    2.345196] rtc-hym8563 1-0051: rtc core: registered hym8563 as rtc0
[    2.353496] REG1: supplied by vsys
[    2.359371] REG2: supplied by vsys
[    2.365565] REG3: supplied by vsys
[    2.371785] REG4: supplied by vsys
[    2.376025] VCC_IO: Bringing 3000000uV into 3300000-3300000uV
[    2.384929] sdmmc-supply: supplied by VCC_IO
[    2.389776] REG5: supplied by VCC_IO
[    2.396096] REG6: supplied by VCC_IO
[    2.400798] VDD_HDMI: Bringing 1200000uV into 2500000-2500000uV
[    2.410039] REG7: supplied by VCC_IO
[    2.416596] REG8: supplied by vsys
[    2.422732] REG9: supplied by vsys
[    2.427930] REG10: supplied by vsys
[    2.434523] REG11: supplied by vsys
[    2.440535] REG12: supplied by vsys
[    2.446712] rk3x-i2c 2002f000.i2c: Initialized RK3xxx I2C bus at f0932000
[    2.455018] IR NEC protocol handler initialized
[    2.459653] IR RC5(x/sz) protocol handler initialized
[    2.464781] IR RC6 protocol handler initialized
[    2.469378] IR JVC protocol handler initialized
[    2.473974] IR Sony protocol handler initialized
[    2.478651] IR SANYO protocol handler initialized
[    2.483417] IR Sharp protocol handler initialized
[    2.488443] IR MCE Keyboard/mouse protocol handler initialized
[    2.494368] IR XMP protocol handler initialized
[    2.500175] usbcore: registered new interface driver uvcvideo
[    2.506003] USB Video Class driver (1.1.1)
[    2.510192] CamSys driver version: v0.48.2, CamSys head file version: v1.0.0
[    2.517802] test_power_init: could not find dev node
[    2.524172] Boot mode: coldboot
[    2.528462] device-mapper: uevent: version 1.0.3
[    2.533985] device-mapper: ioctl: 4.34.0-ioctl (2015-10-28) initialised: dm-devel@redhat.com
[    2.547101] device-mapper: verity-avb: AVB error handler initialized with vbmeta device: 
[    2.555448] Bluetooth: HCI UART driver ver 2.3
[    2.560048] Bluetooth: HCI UART protocol H4 registered
[    2.565318] usb 2-1: new high-speed USB device number 2 using dwc2
[    2.571630] Bluetooth: HCI UART protocol LL registered
[    2.577082] rtk_btusb: RTKBT_RELEASE_NAME: 20200318_BT_ANDROID_9.0
[    2.583511] rtk_btusb: Realtek Bluetooth USB driver module init, version 5.2.1
[    2.590791] rtk_btusb: Register usb char device interface for BT driver
[    2.598016] usbcore: registered new interface driver rtk_btusb
[    2.604184] cpu cpu0: OPP-v2 not supported
[    2.611311] cpu cpu0: OPP-v2 not supported
[    2.616099] Synopsys Designware Multimedia Card Interface Driver
[    2.623317] dwmmc_rockchip 10214000.dwmmc: Using PIO mode.
[    2.628908] dwmmc_rockchip 10214000.dwmmc: Version ID is 240a
[    2.634888] dwmmc_rockchip 10214000.dwmmc: DW MMC controller at irq 27,32 bit host data width,256 deep fifo
[    2.644961] dwmmc_rockchip 10214000.dwmmc: No vqmmc regulator found
[    2.783233] dwmmc_rockchip 10214000.dwmmc: 1 slots initialized
[    2.793070] hidraw: raw HID events driver (C) Jiri Kosina
[    2.802481] usb 2-1: New USB device found, idVendor=05e3, idProduct=0608

It seems to me that:
mmcblk0 hasn't been recognized (we use this in the kernel command line)
the serial connection stops

@peppelinux

Using vanilla kernel 5.8.7 I can get a working prompt instead:
https://github.com/peppelinux/Radxa-Rock-RK3188/blob/master/batrebox_rk3188_serial.log

My kernel configuration is here:
https://github.com/peppelinux/Radxa-Rock-RK3188/blob/master/linux-5.8.7.config

You can also read the README with my build instructions.

Caesar-github pushed a commit that referenced this issue Aug 5, 2022
Calling uaccess ops from ftl.S will link to arm_copy_from_user directly
and result in a page domain fault. So I added it to C code.

[   48.045091] Unhandled fault: page domain fault (0x01b) at 0xbe822790
[   48.054152] pgd = cda78000
[   48.056867] [be822790] *pgd=6da16835, *pte=61b5175f, *ppte=61b51c7f
[   48.063213] Internal error: : 1b [#1] SMP ARM
[   48.067570] Modules linked in: 8821cs
[   48.071292] CPU: 1 PID: 595 Comm: vendor_storage Not tainted 4.4.194 #117
[   48.078083] Hardware name: Generic DT based system
[   48.082884] task: cd0c6580 task.stack: cda94000
[   48.087432] PC is at arm_copy_from_user+0xc8/0x3d8
[   48.092230] LR is at rk_sftl_vendor_storage_ioctl+0x78/0x20c

Change-Id: I1edc9167ac027de3b06768cf718e706074233ae4
Signed-off-by: Jon Lin <jon.lin@rock-chips.com>
RadxaStephen referenced this issue in radxa/kernel Oct 27, 2022
Internal error: Oops - BUG: 0 [#1] THUMB2
Modules linked in:
CPU: 0 PID: 271 Comm: busybox Not tainted 5.10.110 #117
Hardware name: Generic DT based system
PC is at __vm_insert_mixed+0x1e/0xda
LR is at vmf_insert_mixed+0xf/0x12
pc : [<b005a8d0>]    lr : [<b005a9ad>]    psr: 20000133
sp : b668fdb0  ip : 00000000  fp : 00000000
r10: 00000000  r9 : b0bb25a8  r8 : 00005001
r7 : 00010000  r6 : 000043a8  r5 : b6656528  r4 : 0000018f
r3 : 00007ffb  r2 : 00005001  r1 : 00010000  r0 : b6656528
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA Thumb  Segment user
Control: 50c53c7d  Table: 00d6c059  DAC: 00000055
Process busybox (pid: 271, stack limit = 0xaf1f1034)
[<b005a8d0>] (__vm_insert_mixed) from [<b005a9ad>] (vmf_insert_mixed+0xf/0x12)
[<b005a9ad>] (vmf_insert_mixed) from [<b0094ef5>] (dax_iomap_pte_fault+0x429/0x470)
[<b0094ef5>] (dax_iomap_pte_fault) from [<b0130bdf>] (erofs_dax_huge_fault+0xf/0x18)
[<b0130bdf>] (erofs_dax_huge_fault) from [<b005963d>] (__do_fault+0x23/0x3a)
[<b005963d>] (__do_fault) from [<b005afa3>] (handle_mm_fault+0x259/0x45e)
[<b005afa3>] (handle_mm_fault) from [<b000f98f>] (do_page_fault+0x10f/0x184)
[<b000f98f>] (do_page_fault) from [<b000facf>] (do_DataAbort+0x27/0x80)
[<b000facf>] (do_DataAbort) from [<b000902f>] (__dabt_usr+0x4f/0x60)

Signed-off-by: Tao Huang <huangtao@rock-chips.com>
Change-Id: Id241bf92d60a473dc6baa88d65bb17a775875713
Kwiboo pushed a commit to Kwiboo/linux-rockchip that referenced this issue Oct 23, 2023
Using netconsole netpoll_poll_dev could be called from interrupt
context, thus using disable_irq() would cause the following kernel
warning with CONFIG_DEBUG_ATOMIC_SLEEP enabled:

  BUG: sleeping function called from invalid context at kernel/irq/manage.c:137
  in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 10, name: ksoftirqd/0
  CPU: 0 PID: 10 Comm: ksoftirqd/0 Tainted: G        W         5.15.42-00075-g816b502b2298-dirty rockchip-linux#117
  Hardware name: aml (r1) (DT)
  Call trace:
   dump_backtrace+0x0/0x270
   show_stack+0x14/0x20
   dump_stack_lvl+0x8c/0xac
   dump_stack+0x18/0x30
   ___might_sleep+0x150/0x194
   __might_sleep+0x64/0xbc
   synchronize_irq+0x8c/0x150
   disable_irq+0x2c/0x40
   stmmac_poll_controller+0x140/0x1a0
   netpoll_poll_dev+0x6c/0x220
   netpoll_send_skb+0x308/0x390
   netpoll_send_udp+0x418/0x760
   write_msg+0x118/0x140 [netconsole]
   console_unlock+0x404/0x500
   vprintk_emit+0x118/0x250
   dev_vprintk_emit+0x19c/0x1cc
   dev_printk_emit+0x90/0xa8
   __dev_printk+0x78/0x9c
   _dev_warn+0xa4/0xbc
   ath10k_warn+0xe8/0xf0 [ath10k_core]
   ath10k_htt_txrx_compl_task+0x790/0x7fc [ath10k_core]
   ath10k_pci_napi_poll+0x98/0x1f4 [ath10k_pci]
   __napi_poll+0x58/0x1f4
   net_rx_action+0x504/0x590
   _stext+0x1b8/0x418
   run_ksoftirqd+0x74/0xa4
   smpboot_thread_fn+0x210/0x3c0
   kthread+0x1fc/0x210
   ret_from_fork+0x10/0x20

Since [0], .ndo_poll_controller is only needed if the driver doesn't use
NAPI or only partially uses it. Because stmmac does use NAPI,
stmmac_poll_controller can be removed, fixing the above warning.

[0] commit ac3d9dd ("netpoll: make ndo_poll_controller() optional")

Cc: <stable@vger.kernel.org> # 5.15.x
Fixes: 47dd7a5 ("net: add support for STMicroelectronics Ethernet controllers")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/1c156a6d8c9170bd6a17825f2277115525b4d50f.1696429960.git.repk@triplefau.lt
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
scpcom pushed a commit to scpcom/linux that referenced this issue Jun 5, 2024
…terfaces

[ Upstream commit cb5942b ]

wilc_netdev_cleanup currently triggers a KASAN warning, which can be
observed on interface registration error path, or simply by
removing the module/unbinding device from driver:

echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind

==================================================================
BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc
Read of size 4 at addr c54d1ce8 by task sh/86

CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ rockchip-linux#117
Hardware name: Atmel SAMA5
 unwind_backtrace from show_stack+0x18/0x1c
 show_stack from dump_stack_lvl+0x34/0x58
 dump_stack_lvl from print_report+0x154/0x500
 print_report from kasan_report+0xac/0xd8
 kasan_report from wilc_netdev_cleanup+0x508/0x5cc
 wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec
 wilc_bus_remove from spi_remove+0x8c/0xac
 spi_remove from device_release_driver_internal+0x434/0x5f8
 device_release_driver_internal from unbind_store+0xbc/0x108
 unbind_store from kernfs_fop_write_iter+0x398/0x584
 kernfs_fop_write_iter from vfs_write+0x728/0xf88
 vfs_write from ksys_write+0x110/0x1e4
 ksys_write from ret_fast_syscall+0x0/0x1c

[...]

Allocated by task 1:
 kasan_save_track+0x30/0x5c
 __kasan_kmalloc+0x8c/0x94
 __kmalloc_node+0x1cc/0x3e4
 kvmalloc_node+0x48/0x180
 alloc_netdev_mqs+0x68/0x11dc
 alloc_etherdev_mqs+0x28/0x34
 wilc_netdev_ifc_init+0x34/0x8ec
 wilc_cfg80211_init+0x690/0x910
 wilc_bus_probe+0xe0/0x4a0
 spi_probe+0x158/0x1b0
 really_probe+0x270/0xdf4
 __driver_probe_device+0x1dc/0x580
 driver_probe_device+0x60/0x140
 __driver_attach+0x228/0x5d4
 bus_for_each_dev+0x13c/0x1a8
 bus_add_driver+0x2a0/0x608
 driver_register+0x24c/0x578
 do_one_initcall+0x180/0x310
 kernel_init_freeable+0x424/0x484
 kernel_init+0x20/0x148
 ret_from_fork+0x14/0x28

Freed by task 86:
 kasan_save_track+0x30/0x5c
 kasan_save_free_info+0x38/0x58
 __kasan_slab_free+0xe4/0x140
 kfree+0xb0/0x238
 device_release+0xc0/0x2a8
 kobject_put+0x1d4/0x46c
 netdev_run_todo+0x8fc/0x11d0
 wilc_netdev_cleanup+0x1e4/0x5cc
 wilc_bus_remove+0xc8/0xec
 spi_remove+0x8c/0xac
 device_release_driver_internal+0x434/0x5f8
 unbind_store+0xbc/0x108
 kernfs_fop_write_iter+0x398/0x584
 vfs_write+0x728/0xf88
 ksys_write+0x110/0x1e4
 ret_fast_syscall+0x0/0x1c
 [...]

David Mosberger-Tan's initial investigation [1] showed that this
use-after-free is due to netdevice unregistration during vif list
traversal. When unregistering a net device, since needs_free_netdev has
been set to true during registration, the netdevice object is also freed,
and as a consequence, the corresponding vif object too, since it is
attached to it as private netdevice data. The next iteration of the loop
then tries to access the freed vif pointer to move forward in the list.

Fix this use-after-free thanks to two mechanisms:
- navigate the list with list_for_each_entry_safe, which allows safely
  modifying the list as we go through each element. For each element,
  remove it from the list with list_del_rcu
- make sure to wait for the RCU grace period to end after each vif removal,
  to make sure it is safe to free the corresponding vif too (through
  unregister_netdev)

Since we are in an RCU "modifier" path (not a "reader" path), and because
such a path is expected not to be concurrent with any other modifier (we are
using the vif_mutex lock), we do not need to use the RCU list API; that's why
we can benefit from list_for_each_entry_safe.

[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/

Fixes: 8399918 ("staging: wilc1000: use RCU list to maintain vif interfaces list")
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20240212-wilc_rework_deinit-v1-1-9203ae56c27f@bootlin.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
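The use-after-free described in the commit message above, and the list_for_each_entry_safe shape of the fix, modelled in user-space C as an added example (this is not code from the page, the wilc1000 driver or the kernel). The list helpers are simplified stand-ins for the kernel's list.h; struct net_device, struct vif, unregister_netdev() and the "quarantine" allocator are assumptions of this example, the last one standing in for KASAN so that a stale access is counted instead of being undefined behaviour.

```c
/* Added example: user-space model of "unregister frees the vif while the
 * list walk still holds it". Not the wilc1000 driver's code. */
#include <stddef.h>
#include <stdlib.h>

/* --- minimal stand-ins for the kernel's list helpers (assumption) --- */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
/* Captures the next entry (n) BEFORE the body runs, so freeing pos is safe. */
#define list_for_each_entry_safe(pos, n, head, member)                     \
	for (pos = list_entry((head)->next, __typeof__(*pos), member),     \
	     n = list_entry(pos->member.next, __typeof__(*pos), member);   \
	     &pos->member != (head);                                       \
	     pos = n, n = list_entry(n->member.next, __typeof__(*n), member))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static void list_add_tail(struct list_head *e, struct list_head *head)
{
	e->prev = head->prev; e->next = head;
	head->prev->next = e; head->prev = e;
}
static void list_del(struct list_head *e)
{
	e->prev->next = e->next; e->next->prev = e->prev;
	e->next = e->prev = NULL;
}
static int list_empty(const struct list_head *h) { return h->next == h; }

/* --- model of a net_device whose private area holds the driver's vif --- */
struct net_device { int ifindex; int registered; };   /* priv data follows */
struct vif { struct net_device *ndev; struct list_head list; };

/* Quarantine (assumption, plays the role of KASAN): "freed" objects are kept
 * aside, never reused, so is_freed() can flag a stale access instead of the
 * access being undefined behaviour. */
#define MAX_DEVS 16
static struct net_device *quarantine[MAX_DEVS];
static int nquarantined;

static struct vif *alloc_netdev_with_vif(int ifindex)
{
	struct net_device *ndev = calloc(1, sizeof(*ndev) + sizeof(struct vif));
	struct vif *vif = (struct vif *)(ndev + 1);       /* netdev_priv() */
	ndev->ifindex = ifindex; ndev->registered = 1; vif->ndev = ndev;
	return vif;
}
/* unregister_netdev() with needs_free_netdev set: netdev AND vif go away. */
static void unregister_netdev(struct net_device *ndev)
{
	ndev->registered = 0;
	quarantine[nquarantined++] = ndev;                /* models free_netdev() */
}
static int is_freed(const struct vif *vif)
{
	const struct net_device *ndev = (const struct net_device *)vif - 1;
	for (int i = 0; i < nquarantined; i++)
		if (quarantine[i] == ndev) return 1;
	return 0;
}
static void quarantine_flush(void)
{
	while (nquarantined) free(quarantine[--nquarantined]);
}

/* Buggy shape: unregister frees pos, then the advance step reads
 * pos->list.next out of freed memory. Returns the stale-access count. */
static int cleanup_unsafe(struct list_head *vif_list)
{
	struct vif *pos = list_entry(vif_list->next, struct vif, list);
	int stale = 0;
	while (&pos->list != vif_list) {
		unregister_netdev(pos->ndev);
		if (is_freed(pos)) { stale++; break; }    /* KASAN reports here */
		pos = list_entry(pos->list.next, struct vif, list);
	}
	return stale;
}

/* Fixed shape: next entry saved first, entry unlinked, then freed. In the
 * kernel, list_del_rcu() + synchronize_rcu() sit where list_del() is, so
 * RCU readers drain before the free. */
static int cleanup_safe(struct list_head *vif_list)
{
	struct vif *pos, *n;
	int stale = 0;
	list_for_each_entry_safe(pos, n, vif_list, list) {
		list_del(&pos->list);
		stale += is_freed(pos);                   /* pos is still live here */
		unregister_netdev(pos->ndev);             /* frees ndev and pos */
	}
	return stale;
}

/* Builds a list of `count` vifs, runs `cleanup` over it, returns the stale
 * access count; *left_in_list tells whether entries were left unlinked. */
static int run_cleanup(int count, int (*cleanup)(struct list_head *), int *left_in_list)
{
	struct list_head vif_list;
	INIT_LIST_HEAD(&vif_list);
	for (int i = 0; i < count; i++)
		list_add_tail(&alloc_netdev_with_vif(i + 1)->list, &vif_list);
	int stale = cleanup(&vif_list);
	*left_in_list = !list_empty(&vif_list);
	while (!list_empty(&vif_list)) {   /* drain leftovers; only possible because */
		struct vif *v = list_entry(vif_list.next, struct vif, list); /* the */
		list_del(&v->list);             /* quarantine never really freed them */
		if (!is_freed(v)) unregister_netdev(v->ndev);
	}
	quarantine_flush();
	return stale;
}
```

The order in cleanup_safe() is the whole point: the entry is unlinked while it is still live, so no later traversal can reach it, and only then is the object that contains it freed; in the driver the wait for the RCU grace period goes between those two steps.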
Labels: none yet
Projects: none yet
Development: no branches or pull requests
2 participants